Hello Phil,
We are working on the issue, but not sure what the root cause is yet.
If you could try the new installer I have just uploaded, it would be a
big help for us. (Please note that the version remains the same 1.1.15.)
----- On 4 Jan, 2016, at 16:45, Rich Megginson rmeggins(a)redhat.com wrote:
> On 01/04/2016 09:23 AM, Phil Daws wrote:
>> Hello Rich,
>>
>> Have run in debug mode and connected to the admin interface which has been
>> secured with a cert:
>>
>> {SUBJECT_DN=CN=ads01-admin.lab, SUBJECT={CN=ads01-admin},
>> SERIAL=8741097289627376099, AFTERDATE=Tue Dec 19 14:05:35 2017,
>> ISSUER={CN=LAB-CA, O=LAB, C=GB}, SIGNATURE=SHA256withRSA, BEFOREDATE=Sun Dec 20
>> 14:05:35 2015, KEYTYPE=RSA, REASONS={}, VERSION=3, ISSUER_DN=C=GB, O=LAB,
>> CN=LAB-CA}
>> JButtonFactory: button width = 54
>> JButtonFactory: button height = 20
>> JButtonFactory: button width = 54
>> JButtonFactory: button height = 20
>> JButtonFactory: button width = 72
>> JButtonFactory: button height = 20
>> JButtonFactory: button width = 72
>> JButtonFactory: button height = 20
>> JButtonFactory: button width = 54
>> JButtonFactory: button height = 20
>> JButtonFactory: button width = 72
>> HttpsChannel::select(...) - SELECT CERTIFICATE
>> Unable to create ssl socket
>> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8186)
>> security library: invalid algorithm.
>> at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
>> at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
>> at com.netscape.management.client.comm.CommManager.send(Unknown Source)
>> at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
>> at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
>> at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
>> at com.netscape.management.client.console.Console.<init>(Unknown Source)
>> at com.netscape.management.client.console.Console.main(Unknown Source)
>>
>> So it accepts the admin certificate fine but then shows an empty selection box
>> for a certificate ?
> Not sure what it means by "invalid algorithm" but it looks as though
> that is the root cause. The console doesn't know what to do with that
> error, so it asks you to select another cert, which is just a
> distraction at that point. Please open a ticket.
Hmm, but that "invalid algorithm" message only appeared when I clicked on
continue with no certificate showing in the selection dropdown list. The admin
certificate was accepted fine and then it showed the empty selection list.
>
>
>> Thanks, Phil
>>
>> ----- On 4 Jan, 2016, at 15:50, Rich Megginson rmeggins(a)redhat.com wrote:
>>
>>> On 01/04/2016 01:11 AM, Phil Daws wrote:
>>>> Any thoughts on this please ?
>>>>
>>>> ----- On 20 Dec, 2015, at 16:02, Phil Daws uxbod(a)splatnix.net wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> Have now got to the point where it says "Select a certificate to authenticate"
>>>>> yet the drop down box is empty.
>>> Can you run the console with -D 9 -f console.log, then check console.log
>>> to remove any sensitive information, then post that to this list? The
>>> easiest way to do this is to make a copy of the .bat file that runs the
>>> console, then add those arguments to the command line in the copy of the
>>> .bat file.
>>>
>>> I'm assuming you have not configured the admin server/directory server
>>> to require client cert authentication. If you don't know, then you
>>> probably haven't.
>>>
>>>>> If I check the NSS database it looks okay ?
>>>>>
>>>>> D:\Scratch\firefox_add-certs\bin>certutil.exe -d "c:\Documents and Settings\pmdaws\.389-console" -L
>>>>>
>>>>> Certificate Nickname                                         Trust Attributes
>>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>>
>>>>> LAB CA Certificate                                           CT,,
>>>>> Phil Daws                                                    p,p,p
>>>>>
>>>>> Seems as though the console is not picking them up :(
>>>>>
>>>>> Thanks, Phil
>>>>> ----- On 15 Dec, 2015, at 20:35, Noriko Hosoi nhosoi(a)redhat.com wrote:
>>>>>
>>>>>> On 12/15/2015 11:40 AM, Phil Daws wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Unfortunately I do not have a console under Fedora/RHEL.
>>>>>>>
>>>>>>> I can log into the Administration console fine, but when I click on Server
>>>>>>> Group, and then double click on the Directory Server it prompts me for the
>>>>>>> Distinguished name and password. The status is showing as:
>>>>>>>
>>>>>>> Server status: Stopped
>>>>>>> Port: 636
>>>>>>>
>>>>>>> The ports are listening fine:
>>>>>>>
>>>>>>> Active Internet connections (only servers)
>>>>>>> Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
>>>>>>> tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN   301/sshd
>>>>>>> tcp        0      0 0.0.0.0:9830    0.0.0.0:*         LISTEN   1261/httpd
>>>>>>> tcp6       0      0 :::22           :::*              LISTEN   301/sshd
>>>>>>> tcp6       0      0 :::636          :::*              LISTEN   1196/ns-slapd
>>>>>>> tcp6       0      0 :::389          :::*              LISTEN   1196/ns-slapd
>>>>>>>
>>>>>>> So am guessing it's probably due to when I enabled "Secure Connection" in the
>>>>>>> console :(
>>>>>>>
>>>>>>> Any thoughts please ?
>>>>>> Not sure yet, but did you have a chance to see this section?
>>>>>>
>>>>>> http://www.port389.org/docs/389ds/howto/howto-ssl.html#admin-server-tlsss...
>>>>>>> Thanks, Phil
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ----- On 15 Dec, 2015, at 19:01, Noriko Hosoi nhosoi(a)redhat.com wrote:
>>>>>>>
>>>>>>>> On 12/15/2015 09:51 AM, Phil Daws wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I have 389 up and running in my lab, with encryption enabled, but when I connect
>>>>>>>>> to the Administration panel and double click on the Directory Server it just
>>>>>>>>> hangs. The CA certificate has been imported using:
>>>>>>>>>
>>>>>>>>> d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i d:\Downloads\CA-chain.pem -a
>>>>>>>>>
>>>>>>>>> Am I missing something obvious please ?
>>>>>>>>>
>>>>>>>>> Thanks, Phil
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> 389 users mailing list
>>>>>>>>> 389-users@%(host_name)s
>>>>>>>>>
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>>>>>>>> Administration URL starts with https?
>>>>>>>>
>>>>>>>> If you use Console on Fedora/RHEL, you have no problem?
>>>>>>>>
>>>>>>>> Thanks.